Status: Beta

| Madwifi 0.9.3.2 and earlier allows remote attackers to cause a denial
| of service (panic) via a beacon frame with a large length value in the
| extended supported rates (xrates) element, which triggers an assertion
| error, related to net80211/ieee80211_scan_ap.c and
| net80211/ieee80211_scan_sta.c.

One interesting fact is that net80211/ieee80211_scan_ap.c is not prone to
this vulnerability in any of our releases. r2724 is the first revision
where net80211/ieee80211_scan_ap.c is vulnerable.